Several of Australia’s largest super funds including AustralianSuper, Rest, and Insignia have been hit by a cyberattack, with stolen passwords used to target members’ accounts.
The National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, confirmed that federal authorities were aware of the breach.
“I am aware cybercriminals are targeting individual account holders of a number of superannuation funds,” Lieutenant General McGuinness said.
“I am coordinating engagement across the Australian Government, including with the financial system regulators, and with industry stakeholders to provide cyber security advice.
“If you have been impacted or are concerned you may have been impacted, follow the advice provided by your super fund.”
9News has confirmed that at least four AustralianSuper customers have had funds stolen in the attack, with losses believed to be in the “low hundreds of thousands”.
AustralianSuper’s Chief Member Officer Rose Kerlin said the fund had seen a spike in suspicious activity in the last week.
“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app and we are urging members to take steps to protect themselves online,” Kerlin said.
“This week we identified that cybercriminals may have used up to 600 members’ stolen passwords to log into their accounts in attempts to commit fraud,” she said.
“While we took immediate action to lock these accounts and let those members know.”
The fund, which holds assets of $360 billion, encouraged its members to log into their account to check that their bank account and contact details were correct.
Insignia Financial said they were aware of a “malicious third party” attempting to access their members’ accounts.
“This activity, known as credential stuffing, involved an unusual number of login attempts targeting the Insignia Financial Expand platform,” a spokesperson for the fund said.
Credential stuffing refers to a kind of cyberattack where criminals use stolen passwords and email addresses to make repeated attempts to log in to private systems.
Rest super also said they had been targeted, but said that no member’s funds had been withdrawn.
“No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts,” Rest’s Chief Executive Vicki Doyle said.
The full scale of the breach is not yet known, but it is believed that multiple super funds have been affected by data breaches.